time4tea 2 hours ago
Private key material should not be kept in the clear anywhere, ideally. This includes on your dev machine, serialised in a store, in the heap of your process, anywhere. Of course, it depends on your threat environment, but the article did mention PCI-DSS. If you put it in Redis, then anyone that has access (internal baddies exist too!) can steal the key and sign something. It's hard to repudiate that.
flumpcakes an hour ago
How far do you go? How do you use the private key to sign something if you can't keep it anywhere?